Applying ACL to vty in IOS-XR

Unanswered Question
May 12th, 2011

Hi.

I am trying to apply acl:s to vty on a ASR9k router.

I am doing the following, and this works...

! IOS-XR
!-------
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny   ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL
!

The ssh tcp port is still open from any host though. I am not beeing able to log in from other host but the ones specified in the acl:s, but it is possible to portscan tcp 22 from anyhost.

Any suggestions? When applying ACL directly on mgmt interface the port gets blocked.

Regards

Andreas

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Bryan Garland Fri, 06/03/2011 - 11:04

Andreas,

This is not the preferred way to do this for the exact reasons you describe.  The better way to do this is via MPP, management plane protection.  This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having to have software deal with it.

http://www.cisco.com/en/US/docs/routers/asr9000/software/security/configuration/guide/scasr9kmpp.html

Thanks,

Bryan

Xander Thuijs Mon, 12/08/2014 - 09:01

You can Joseph, but it there are better options.

This is how to apply the access-class a-la ios :

line default
 access-class ingress MYACL

the line template default needs to be associated with your VTY pool or SSH pool right like this:

vty-pool default 0 4 line-template default


and of course telnet daemon needs to run:

telnet vrf default ipv4 server max-servers 4

The reason why this is not preferred is because all the traffic received for us-telnet uis processed by the hardware on teh LC and sent to the RP. then goes through all the forwarding chain until telnet verifies it agaisnt the ACL and says ok deny.

Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not further forwarded and saves system resources and provides better protection.

Google asr9000 local packet transport services to find a good write up on LPTS and more details about the management plane protection MPP.

 

cheers!

xander

 

joseph hatem Thu, 12/11/2014 - 06:53

thank you xander for you reply.

 

i wanted to know if we can do the same on asr5000 and not asr 9000.

 

Please can you advise on this point ?

thx

Joseph

 
 
Xander Thuijs Thu, 12/11/2014 - 07:14

I don't know the asr5000 well enough to comment on that Joseph...

I have forwarded this discussion to their support group to see if they can comment and add their expertise.

cheers

xander

Actions

Login or Register to take actions

This Discussion

Posted May 12, 2011 at 7:14 AM
Updated May 12, 2011 at 7:37 AM
Stats:
Replies:6 Overall Rating:
Views:1949 Votes:0
Shares:0
Tags: asr9k, ios-xr
+

Related Content